Create the Required Service Principal by Creating an Application Registration


Horizon Cloud needs a service principal to access and use your Microsoft Azure subscription's capacity for your Horizon Cloud nodes. When you register a Microsoft Azure AD application, the service principal is also created. Also, you must generate an authentication key and assign the Contributor role to the service principal at the subscription level.

Important:

The service principal must have the Contributor role, and not the Owner role. Even though the Owner role is a superset of the Contributor privileges, the node deployment process specifically requires Contributor, and the wizard blocks you from continuing to the next step if the service principal has any role other than Contributor. The reason is least privilege: the node should get only as much access to your Microsoft Azure environment as Horizon Cloud operations need, not the fullest level of permissions in your subscription (Owner can additionally grant access to others). Microsoft Azure role-based access control (RBAC) provides the Contributor role for creating and managing resources in a subscription, which is the level of permissions Horizon Cloud needs. For details, see Built-in roles for Azure role-based access control in the Microsoft Azure documentation.

You perform these steps in the Microsoft Azure portal that corresponds to the Azure cloud in which your account is registered; each Microsoft Azure cloud has its own portal endpoint.

Even though you can set the key's expiration to a specific timeframe, if you do so you must refresh the key before it expires or the associated Horizon Cloud node stops working. Horizon Cloud cannot detect what duration you set. For smooth operations, set the key's duration to Never expires. Keep in mind that a key that never expires is a long-lived credential: store the key value in a secrets vault, limit who can read it, and rotate it through the Administration Console if you suspect it has been exposed.

If you prefer not to set Never expires and prefer instead to refresh the key before it expires, you must remember to log in to the Horizon Cloud Administration Console before the expiration date and enter the new key value in the associated node's subscription information. For detailed steps, see the Update the Subscription Information Associated with Deployed Nodes topic in the VMware Horizon Cloud Service on Microsoft Azure Administration Guide.

Name

The name is up to you. The name is a way you can differentiate this service principal used by Horizon Cloud from any other service principals that might exist in this same subscription.

Application type

Ensure Web app / API is selected (the default value).

Sign-on URL

Type http://localhost:8000 as shown. Microsoft Azure marks this as a required field. Because Horizon Cloud does not need a sign-on URL for the service principal, http://localhost:8000 is entered only to satisfy the Microsoft Azure requirement.

Now the newly created item is displayed on screen.

Click the service principal's icon to collect its application ID from its details.

Copy the application ID to a location where you can retrieve it later when you run the deployment wizard.

From the service principal's details screen, create the service principal's authentication key.

The key description must be 16 characters or less, for example Hzn-Cloud-Key1.

Caution:

You can set the expiration duration to Never expires or to a specific timeframe. However, if you set a specific duration, you must remember to refresh the key before it expires and enter the new key into the node's subscription information in the Horizon Cloud Administration Console. Otherwise, the associated node will stop working. Horizon Cloud cannot detect or know what duration you set.

Important:

Keep the Keys screen open until you have copied the key value and pasted it into a location where you can retrieve it later. Microsoft Azure shows the key value only while this screen is open; once you leave it, the value cannot be displayed again and you would have to create a new key.

Copy the key value to a location where you can retrieve it later when you run the deployment wizard.

Assign the Contributor role to the service principal at the subscription level.

Caution:

The service principal must have the Contributor role, and not the Owner role. Even though the Owner role is a superset of the Contributor privileges, the node deployment process specifically requires Contributor. The node deployment wizard blocks you from continuing to the next step if the service principal has any role other than Contributor.

Navigate to your subscription's settings screen by clicking Subscriptions in the Microsoft Azure portal's main navigation bar and then clicking the name of the subscription that you will use with the node.

Note:

At this point, from the screen, you can copy the subscription ID which you will later need in the deployment wizard.

Click Access control (IAM) and then click Add to open the Add permissions screen.

In the Add permissions screen, select Contributor for Role and then use the Select box to search for your service principal by the name you gave it.

Note:

Make sure the Assign access to drop-down list is set to Azure AD user, group, or application.

Click your service principal to make it a selected member and then click Save.

Verify that your subscription has the registered resource providers that the node requires.

From the Access control (IAM) screen you are on from the previous step, navigate to the subscription's list of resource providers by clicking Resource providers in the subscription's menu.

Verify that the following resource providers have Registered status, and register any that do not.

Microsoft.Compute

microsoft.insights

Microsoft.Network

Microsoft.Storage

Microsoft.KeyVault
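The same procedure, scripted with the Azure CLI so it can be repeated and reviewed. This is an added example and is not VMware's or Microsoft's code. It assumes Azure CLI 2.37 or later with an `az login` already done, and the names `Horizon-Cloud-SP`, `Hzn-Cloud-Key1` and the `RUN_AZ` switch are placeholders chosen here. The CLI cannot create a key that never expires, so the script sets a term in years; the `roles_ok` and `missing_providers` functions apply the two checks the wizard enforces (Contributor and nothing else; the five resource providers registered) and can be run against captured CLI output without touching Azure.

```shell
#!/bin/sh
# Added example (not VMware's code): scripts the portal steps above with the Azure CLI
# and applies the checks the deployment wizard enforces. Assumes Azure CLI 2.37+,
# an "az login" already done, and the hypothetical names below.
# The az commands run only when RUN_AZ=1; the check functions run anywhere.

APP_NAME="${APP_NAME:-Horizon-Cloud-SP}"   # assumption: any name that distinguishes this SP
KEY_DESC="${KEY_DESC:-Hzn-Cloud-Key1}"     # must be 16 characters or less
KEY_YEARS="${KEY_YEARS:-2}"                # the CLI cannot set "Never expires"; pick a term and rotate
SIGNON_URL="http://localhost:8000"         # placeholder only; Horizon Cloud does not use it
REQUIRED_PROVIDERS="Microsoft.Compute microsoft.insights Microsoft.Network Microsoft.Storage Microsoft.KeyVault"

# Key description rule from the page: 1 to 16 characters.
check_key_desc() {
  [ "${#1}" -gt 0 ] && [ "${#1}" -le 16 ]
}

# Wizard rule from the page: Contributor, and no other role, at the subscription.
# $1 holds the role names assigned to the service principal, one per line.
roles_ok() {
  [ -n "$1" ] || return 1
  if printf '%s\n' "$1" | grep -vx 'Contributor' | grep -q .; then
    return 1
  fi
  return 0
}

# Print the required resource providers that are not in Registered state.
# $1 holds "Namespace<TAB>State" lines, as printed by
#   az provider list --query "[].[namespace,registrationState]" -o tsv
# Namespaces compare case-insensitively (the portal shows microsoft.insights in lower case).
missing_providers() {
  for ns in $REQUIRED_PROVIDERS; do
    lc_ns=$(printf '%s' "$ns" | tr 'A-Z' 'a-z')
    if ! printf '%s\n' "$1" | tr 'A-Z' 'a-z' | grep -q "^${lc_ns}[[:space:]]\{1,\}registered$"; then
      printf '%s\n' "$ns"
    fi
  done
}

main() {
  check_key_desc "$KEY_DESC" || { echo "key description must be 1-16 characters" >&2; return 1; }

  SUB_ID=$(az account show --query id -o tsv)
  TENANT_ID=$(az account show --query tenantId -o tsv)

  # Register the application; the service principal is created alongside it.
  APP_ID=$(az ad app create --display-name "$APP_NAME" --web-redirect-uris "$SIGNON_URL" --query appId -o tsv)
  SP_OID=$(az ad sp create --id "$APP_ID" --query id -o tsv)

  # Create the authentication key. The value is shown once: store it in a secrets vault.
  KEY_VALUE=$(az ad app credential reset --id "$APP_ID" --display-name "$KEY_DESC" \
    --years "$KEY_YEARS" --query password -o tsv)

  # Contributor at subscription scope, nothing more. Using the object ID plus principal
  # type avoids the directory lookup that fails while a brand-new SP is still propagating.
  az role assignment create --assignee-object-id "$SP_OID" --assignee-principal-type ServicePrincipal \
    --role Contributor --scope "/subscriptions/$SUB_ID" >/dev/null

  # Re-read what is actually assigned and apply the wizard's rule before running the wizard.
  ROLES=$(az role assignment list --assignee "$APP_ID" --scope "/subscriptions/$SUB_ID" \
    --query "[].roleDefinitionName" -o tsv)
  roles_ok "$ROLES" || { echo "service principal must hold Contributor only, found: $ROLES" >&2; return 1; }

  # Register any missing resource providers and wait until each reports Registered.
  PROVIDERS=$(az provider list --query "[].[namespace,registrationState]" -o tsv)
  for ns in $(missing_providers "$PROVIDERS"); do
    az provider register --namespace "$ns" --wait
  done

  echo "Subscription ID: $SUB_ID"
  echo "Directory ID:    $TENANT_ID"
  echo "Application ID:  $APP_ID"
  echo "Key value:       held in KEY_VALUE; paste it into the deployment wizard, then unset it"
}

if [ "${RUN_AZ:-0}" = "1" ]; then
  main
fi
```

Run with `RUN_AZ=1 sh create-horizon-sp.sh` against the subscription selected by `az account show`. The four values printed at the end are the ones the first step of the deployment wizard asks for; the key value is never written to disk by the script, so copy it from the shell session and then `unset KEY_VALUE`.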

Results

At this point, you've created and configured the service principal for the node, and you have three of the subscription-related values you need in the first step of the node deployment wizard: the application ID, the key value, and the subscription ID. You also need the Azure Active Directory ID (the directory's tenant ID). Obtain that ID in the Microsoft Azure portal by opening Azure Active Directory and clicking Properties (under Manage).